2 files changed, 50 insertions, 2 deletions

diff --git a/settings/Controller/AuthSettingsController.php b/settings/Controller/AuthSettingsController.php
index 2f3d78b4d83..6eaa64cfac2 100644
--- a/settings/Controller/AuthSettingsController.php
+++ b/settings/Controller/AuthSettingsController.php
@@ -197,10 +197,18 @@ class AuthSettingsController extends Controller {
 	 *
 	 * @param int $id
 	 * @param array $scope
-	 * @return array
+	 * @return array|JSONResponse
 	 */
 	public function update($id, array $scope) {
-		$token = $this->tokenProvider->getTokenById((string)$id);
+		try {
+			$token = $this->tokenProvider->getTokenById((string)$id);
+			if ($token->getUID() !== $this->uid) {
+				throw new InvalidTokenException('User mismatch');
+			}
+		} catch (InvalidTokenException $e) {
+			return new JSONResponse([], Http::STATUS_NOT_FOUND);
+		}
+
 		$token->setScope([
 			'filesystem' => $scope['filesystem']
 		]);
diff --git a/tests/Settings/Controller/AuthSettingsControllerTest.php b/tests/Settings/Controller/AuthSettingsControllerTest.php
index 5c1280ff4b0..461b32b7a48 100644
--- a/tests/Settings/Controller/AuthSettingsControllerTest.php
+++ b/tests/Settings/Controller/AuthSettingsControllerTest.php
@@ -212,6 +212,10 @@ class AuthSettingsControllerTest extends TestCase {
 			->willReturn($token);
 
 		$token->expects($this->once())
+			->method('getUID')
+			->willReturn('jane');
+
+		$token->expects($this->once())
 			->method('setScope')
 			->with($this->equalTo([
 				'filesystem' => true
@@ -224,4 +228,40 @@ class AuthSettingsControllerTest extends TestCase {
 		$this->assertSame([], $this->controller->update(42, ['filesystem' => true]));
 	}
 
+	public function testUpdateTokenWrongUser() {
+		$token = $this->createMock(DefaultToken::class);
+
+		$this->tokenProvider->expects($this->once())
+			->method('getTokenById')
+			->with($this->equalTo(42))
+			->willReturn($token);
+
+		$token->expects($this->once())
+			->method('getUID')
+			->willReturn('foobar');
+
+		$token->expects($this->never())
+			->method('setScope');
+		$this->tokenProvider->expects($this->never())
+			->method('updateToken');
+
+		$response = $this->controller->update(42, ['filesystem' => true]);
+		$this->assertSame([], $response->getData());
+		$this->assertSame(\OCP\AppFramework\Http::STATUS_NOT_FOUND, $response->getStatus());
+	}
+
+	public function testUpdateTokenNonExisting() {
+		$this->tokenProvider->expects($this->once())
+			->method('getTokenById')
+			->with($this->equalTo(42))
+			->willThrowException(new InvalidTokenException('Token does not exist'));
+
+		$this->tokenProvider->expects($this->never())
+			->method('updateToken');
+
+		$response = $this->controller->update(42, ['filesystem' => true]);
+		$this->assertSame([], $response->getData());
+		$this->assertSame(\OCP\AppFramework\Http::STATUS_NOT_FOUND, $response->getStatus());
+	}
+
 }